We employ supervisory controllers to safely coordinate high-level discrete(-event) behavior of distributed components of complex systems. Supervisory controllers observe discrete-event system
behavior, make a decision on allowed activities, and communicate the control signals to the involved 
parties. Models of the supervisory controllers can be automatically synthesized based on formal 
models of the system components and a formalization of the safe coordination (control) require- 
ments. Based on the obtained models, code generation can be used to implement the supervisory 
controllers in software, on a PLC, or an embedded (micro )processor. In this article, we develop a 
process theory with data that supports a model-based systems engineering framework for supervisory 
coordination. We employ communication to distinguish between the different flows of information, 
i.e., observation and supervision, whereas we employ data to specify the coordination requirements 
more compactly, and to increase the expressivity of the framework. To illustrate the framework, 
we remodel an industrial case study involving coordination of maintenance procedures of a printing 
process of a high-tech Océ printer.



1 Introduction 

Traditional software development techniques proved insufficiently flexible for the development of quality control software, establishing the latter as an important bottleneck in the design and production of complex high-tech systems [13]. This gave rise to supervisory control theory of discrete-event systems [20, 8], which studies automatic synthesis of (discrete-event) models of supervisory control software.

1.1 Supervisory Control 

Supervisory controllers safely coordinate high-level system behavior, relying on observations made regarding the discrete(-event) system behavior by using sensory information, as depicted in Figure 1(a). Based upon the observed signals, the supervisory controllers make a decision on which activities are allowed to be carried out safely, and send back control signals to the hardware actuators. By assuming that the supervisory controller reacts sufficiently fast on machine input, one can model this supervisory control feedback loop as a pair of synchronizing processes [20, 8]. The model of the machine, which is referred to as the plant, is restricted by the model of the controller, referred to as the supervisor. The synchronization of the supervisor and the plant results in the supervised plant, which models the supervisory control loop, i.e., it specifies the behavior of the supervised system.

Figure 1: a) Supervisory control; b) Supervisory control feedback loop with data-based observations

The activities of the machine are modeled as discrete events, whereas the supervisor is a process that synchronizes with the plant: traditionally, it disables events by not synchronizing with them and enables events by synchronizing with them [20, 8]. As a result, the supervisor comprises the complete history of the supervised system, i.e., it enumerates the state space of the supervised system [8, 3]. The events are split into controllable events, which can be disabled by the supervisor in order to prevent potentially dangerous or otherwise undesired behavior, and uncontrollable events, which must never be disabled by the supervisor. The former model activities over which control can be exercised, like interaction with the actuators of the machine, whereas the latter model activities beyond the control of the supervisor, like observation of sensors or user interaction with the environment. Moreover, the supervised plant must also satisfy the control requirements, which model the safe or allowed behavior of the machine. In addition, it is typically required that the supervised plant is nonblocking, meaning that it comprises no deadlock and no livelock. To this end, every state is required to be able to reach a so-called marked or final state [20, 8], which denotes a state in which the plant is considered to have successfully completed its execution. The conditions that ensure the existence of such a supervisor are referred to as (nonblocking) controllability conditions [20, 8].



1.2 Motivation and Contributions 

Our initial motivation for developing a process theory that distinguishes between the different flows of information between the plant and the supervisor is the oversimplification of the modeling of the supervisory control loop in the original proposal of [20, 8]. This manner of representing the communication, by means of synchronizing actions using automata-style synchronization, still prevails in modern state-of-the-art approaches, like [11, 9, 19, 24]. This is duly noted in [5], where a proposal is given to separate the different flows of information and to give a separate characterization of the process forms of the plant and the supervisor.

The approach investigated in [5] relies on propositional signals that stem from the states, such that the supervisor has (intrinsic) knowledge regarding the state of the plant. Typically, state- or data-based approaches to supervisory control [14, 13, 8] require the use of an observer, which represents an addition to the plant, as depicted in Figure 1(b). The observer derives the state of the plant based on the history of observed events, such that it can be directly communicated to the supervisor and employed for supervision. There are a couple of issues in the proposal of [5] when attempting to employ the process theory for modeling supervisory control loops similar to the one depicted in Figure 1(b). Namely, the semantics of the propositional signals relies on a predefined nondeterministic valuation effect function that updates the propositional signals based on the label of the taken transition and a set of possible future propositional signals [5]. This inevitably leads to unnecessary nondeterministically-chosen deadlock states when the intended propositional signal is not observed, making these deadlock states hard to interpret in a supervisory control setting. In addition, the observation of signals implicitly implies that the supervisor observes the state of the plant, not distinguishing between the plant and the observer. Admittedly, this is a standard practice, especially when modeling complex systems and development of compact and approachable models is of interest. Nonetheless, the underlying process theory should depict these nuances in a subtler manner.

To address the issues outlined above, we propose to replace and extend the propositional signals with variable assignments, which dynamically determine the valuation effect function, resolving the first issue. As a welcome side effect, we obtain a more compact set of operational rules than the one presented in [5]. Moreover, by not having to implicitly couple the semantics of states with propositional signals, we have the option to model observers either as an intrinsic (integrated) part of the plant or as a separate process. In the setting of this paper, we rely on data-based observations, as depicted in Figure 1(b). As discussed, the plant is augmented with an observer process, which may assign auxiliary data variables based on the history of observed events. These data are required by the supervisor in order to make the correct control decision. We illustrate the situation by an example.




Figure 2: a) A plant that models the behavior of an automated guided vehicle; b) An observer that keeps 
track of the location of the vehicle of a); c) A supervisor that ensures proper coordination of the vehicle 
of a) 

Example 1 Let us assume that we have an automated guided vehicle that is capable of traveling to two positions, say A and B. We can issue two commands to the vehicle, namely gotoA and gotoB, so that the vehicle travels to A and B, respectively. When the vehicle arrives at the corresponding location, it reports back using the sensor signals arrivedA and arrivedB, respectively. We can model the behavior of this vehicle using the simple transition system depicted in Figure 2(a). Note that we distinguish between the direction of communicated commands and signals. By event? we denote a recipient party of the communication, and by event! we denote a sender party. We employ generic communication events, e.g., $\mathit{event}!_2?_3$ denotes a resulting communication event that occurred between two sender and three recipient parties.

Now, suppose that we wish to coordinate the movement of this vehicle, such that if the vehicle is at location X, then we do not issue a redundant command that sends the vehicle to the location X, for X ∈ {A, B}. Obviously, by employing only the transition system in Figure 2(a) such coordination is not possible, since the model of the behavior of the vehicle does not comprise information regarding the location of the vehicle. To this end, we need an observer, which updates a variable, say L, with respect to the current location of the vehicle, as depicted in Figure 2(b). The observer waits for the confirmation signal, sent from the vehicle, that it has reached the corresponding location in order to update its status. By employing this location information, the supervisor can make the correct decision on which command is allowed to be issued.

Now, we can state the coordination or control requirements, based on the data observations, as: if L = X, then the event gotoX should not be enabled, for X ∈ {A, B}. By employing these control requirements, we can synthesize the supervisor depicted in Figure 2(c). We note that the supervisor enables the movement commands relying on guards that observe the shared location variable that is provided by the observer.

To capture the controllability conditions involving the plant, the control requirements, and the supervisor, we rely on a behavioral preorder termed partial bisimulation. In essence, we employ this preorder to state a relation between the supervised plant and the original plant, allowing controllable events to be simulated, while requiring that uncontrollable events are bisimulated. This ensures that the supervisor does not disable uncontrollable events, while preserving the branching structure of the plant. Previous proposals like [11] and [19] rely on the process theory CSP [12], whereas other approaches rely on trace-based notions to capture controllability [9, 24]. In [11] the theory is extended with a specialized prioritized communication operator that captures the communication between the plant and the supervisor, later replaced by a refinement relation in failure semantics [19]. The control requirements depend on the observed data, and they are given in terms of global invariants that depend on the allowed data assignments, or they specify when a given event is allowed or disallowed, similarly to the informal specification of the control requirements in Example 1.

In the remainder of this paper, we first present the process theory and, thereafter, we discuss its application in a model-based systems engineering framework for supervisory coordination and control. To illustrate the framework, we revisit a case study that deals with coordination of maintenance procedures of a printing process of an Océ prototype printer [10]. The control problem is to synthesize a supervisory coordinator that ensures that the quality of printing is not compromised, by timely performing maintenance procedures, while interrupting ongoing print jobs as little as possible. Unlike previous attempts [5], we parameterize the model to handle multiple maintenance procedures concurrently. Due to confidentiality issues, we can only present an (obfuscated) part of the case study.

2 Communicating Processes with Data 

To model data elements and guards, we extend the process theories BSP of [2] and TCP* of [5], thus obtaining communicating processes with data. The result is a process theory encompassing: successful termination, which indicates final or marked states [20, 8] and models that the plant can successfully terminate its execution; generic communication action prefixes with data assignments, which model activities of the plant and enable a dynamic valuation effect function; guarded commands, which condition transitions based on data assignments, and enable data observation and support supervision; sequential composition, which is an auxiliary operator required for the definition of recursive processes; iteration, to specify recurring behavior; and ACP-style parallel composition with synchronization [20] and encapsulation, which together model a flexible coupling in the feedback control loop based on given communication parties. We note that additional process operations can be easily added in the vein of [2, 5].

We remark that the synthesis tool Supremica [1], which we employ in the implementation of the model-based systems engineering framework, supports the automata-like synchronization of [20, 1], which is standard in supervisory control theory. Moreover, it makes no distinction between sender and receiver parties in the parallel composition. The automata-like parallel composition synchronizes on all events from all processes that are in the common alphabet, whereas the remaining events are interleaved. It is not difficult to show, e.g., in the vein of [7], that our setting subsumes this parallel composition.
2.1 Syntax

In principle, we allow data elements to be of any type, given by the set $D$, even though only finite integer and enumerated types are currently supported by the synthesis tool [1]. By $V$ we denote the set of data variables, and by $F$ the data expressions involving the standard arithmetical operations supported by Supremica [1]. Data expressions are evaluated with respect to $e: F \to D$. The guarded commands are given as Boolean formulas, where the atomic propositions are built from the predicates in $\{<, \leq, =, \neq, \geq, >\}$ and the logical operators are $\{\neg, \wedge, \vee, \Rightarrow\}$, denoting negation, conjunction, disjunction, and implication, respectively. We use $B$ to denote the resulting Boolean expressions, which are evaluated with respect to a given valuation $v: B \to \{\mathit{false}, \mathit{true}\}$. Variables are updated by a partial variable update function $f: V \rightharpoonup F$. The updating of variables is coupled with the action transitions, which are labeled by actions from the set $A$. The set $A$ comprises all possible communication actions over a set of channels $H$, i.e., $A = \{c!_m?_n \mid m, n \in \mathbb{N}, c \in H\}$, where $m$ counts the sender and $n$ the receiver parties. We write $c!_n$ for $c!_n?_0$ and $c?_n$ for $c!_0?_n$ for $n \in \mathbb{N}$ and $c \in H$, and we write $c!$ for $c!_1$ and $c?$ for $c?_1$. The set of process terms $T$ is induced by $T$, given by:

$$T ::= 0 \mid 1 \mid a[f].T \mid \phi :\to T \mid \partial_H(T) \mid T + T \mid T \cdot T \mid T^* \mid T \parallel T$$

where $a \in A$, $f: V \rightharpoonup F$, $\phi \in B$, and $H \subseteq A$. Each process $p \in T$ is coupled with a global variable assignment environment that is used to evaluate the guards and keeps track of updated variables, notation $(p, (\alpha, \rho)) \in T \times \Sigma$ for $\Sigma = (V \to F) \times 2^V$. By $\alpha: V \to F$ we denote the assignment of the variables, used to consistently evaluate the guards, whereas the predicate $\rho \subseteq V$ keeps track of the updated variables, which is needed for correct synchronization. We write $\sigma = (\alpha, \rho)$ for $\sigma \in \Sigma$ when the components of the environment are not explicitly required. The initial environment $\sigma_0 = (\alpha_0, D(\alpha_0))$, where $D(f)$ denotes the domain of the function $f$, provides the initial values of all variables that the process comprises.

The theory has two constants: $0$ denotes deadlock, which cannot execute any action, whereas $1$ denotes the option to successfully terminate. The action-prefixed process with variable update, $a[f].p$, executes the action $a$, while updating the data values according to $f$, and continues behaving as $p$. The guarded command, notation $\phi :\to p$, specifies a guard $\phi \in B$ that guards a process $p \in T$. If the guard evaluates to true, the process continues behaving as $p$; otherwise, it deadlocks. The encapsulation operator $\partial_H(p)$ encapsulates the process $p$ in such a way that all communication actions in $H$ that are considered incomplete are blocked, so that the desired type of communication is enforced. For example, to enforce communication between $k$ processes over channel $c$, one takes $H = \{c!_m?_n \mid 0 < m + n,\ m + n \neq k\}$. The sequential composition $p \cdot q$ executes an action of the first process or, if the first process successfully terminates, continues to behave as the second. The unary operator $p^*$ represents iteration, or the Kleene star, which unfolds with respect to the sequential composition. The alternative composition $p + q$ makes a nondeterministic choice by executing an action of $p$ or $q$, and continues to behave as the remainder of the chosen process. The binary operator $p \parallel q$ denotes parallel composition with generic communication actions, where the actions of both arguments can always be interleaved or, alternatively, communication can take place over common channels, keeping track of the number of involved sender and receiver parties.

2.2 Structural Operational Semantics 

Figure 3: Operational rules

We give semantics in terms of labeled transition systems coupled with an environment that keeps track of the valuation of the data variables and the updated variables. The states of the labeled transition systems are labeled by the process terms themselves, and the dynamics of a process is given by a successful termination option predicate $\downarrow \subseteq T \times \Sigma$, which plays the role of final or marked states for nonblocking supervision [20, 8], and an action transition relation $\to \subseteq (T \times \Sigma) \times A \times (T \times \Sigma)$. We write $(p, \sigma)\downarrow$ for $(p, \sigma) \in \downarrow$, and $(p, \sigma) \xrightarrow{a} (p', \sigma')$ for $((p, \sigma), a, (p', \sigma')) \in \to$.

To present the update of the assignments concisely, we introduce several auxiliary operations. We write $f|_C$ for the restriction of the function $f$ to the domain $C \subseteq D(f)$, i.e., $f|_C = \{x \mapsto f(x) \mid x \in C\}$. Also, we introduce the notation $f\{f_1\}\ldots\{f_n\}$, where $f: A \to B$ and $f_i: A \rightharpoonup B$ for $1 \leq i \leq n$ are partial functions with mutually disjoint domains, i.e., $D(f_i) \cap D(f_j) = \emptyset$ for $i \neq j$. For every $x \in A$, we have that $f\{f_1\}\ldots\{f_n\}(x) = f_j(x)$ if there exists some $j$ with $1 \leq j \leq n$ and $x \in D(f_j)$, and $f\{f_1\}\ldots\{f_n\}(x) = f(x)$ otherwise. We define $\downarrow$ and $\to$ using structural operational semantics, as depicted by the operational rules in Figure 3. We note that symmetrical rules are not depicted; their numbers are only given in brackets next to the number of the rule that applies to the process on the left side of the operation.

Rule 1 states that the termination constant has the option to successfully terminate. Rule 2 states that the action prefix enables action transitions, whereas the target assignment must be updated accordingly. Namely, the variables in the domain of the partial variable update function are updated with the evaluated data expressions. Rules 3 and 4 state that the alternative composition can successfully terminate if one of its summands has the option to successfully terminate. Similarly, action transitions are possible in the alternative composition if one of its summands can perform them, as given by rules 5 and 6. Rule 7 states that the sequential composition has a termination option if both of its components have a termination option. If the first component terminates, then the sequential composition continues behaving as the second component, as given by rule 8. If the first component can perform an action transition, then the target process sequentially composes the target of the action transition of the first component with the second component, as given by rule 9. Iteration always has a termination option, as given by rule 10, because of properties of composition of recursive processes. Rule 11 shows that iteration unfolds with respect to sequential composition. Rule 12 states that the parallel composition can successfully terminate only if both of its components have successful termination options. Rules 13 and 14 enable interleaving in the parallel composition, even interleaving of transitions that stem from the same channel. Synchronization of action transitions is possible for actions that stem from the same channel, as depicted by rule 15. The resulting communication action must account for the accumulated number of sender and receiver communication parties. The sets $\rho'$ and $\rho''$ identify the updated variables, so the common updated variables are given by $\rho' \cap \rho''$. The target environment updates the target environment of the first component with the remaining target environment of the second component, which can also be done symmetrically with respect to the second component. Rules 16 and 17 state that if the propositional guard is successfully evaluated, then the guarded command can successfully terminate or perform an action transition, respectively, provided that the guarded process can do so. Rule 18 states that successful termination is not affected by the encapsulation operator, whereas rule 19 states that all actions in the parameter set $H \subseteq A$ are blocked.

2.3 Partial Bisimulation 

The behavioral relation that we employ is an extension of partial bisimulation [3], which is able to handle data and variable assignments. Here, we directly employ the approach of [6, 3], where this extension is shown for bisimulation.

A relation $R \subseteq T \times T$ is said to be a partial bisimulation with respect to a bisimulation action set $B \subseteq A$, if for all $(p, q) \in R$ and $\sigma \in \Sigma$, it holds that:

1. $(p, \sigma)\downarrow$ if and only if $(q, \sigma)\downarrow$;

2. if $(p, \sigma) \xrightarrow{a} (p', \sigma')$ for $a \in A$, then there exist $q' \in T$ and $\sigma' \in \Sigma$ such that $(q, \sigma) \xrightarrow{a} (q', \sigma')$ and $(p', q') \in R$;

3. if $(q, \sigma) \xrightarrow{b} (q', \sigma')$ for $b \in B$, then there exist $p' \in T$ and $\sigma' \in \Sigma$ such that $(p, \sigma) \xrightarrow{b} (p', \sigma')$ and $(p', q') \in R$.

If $R$ is a partial bisimulation relation such that $(p, q) \in R$, then $p$ is partially bisimilar to $q$ with respect to $B$ and we write $p \leq_B q$. If $q \leq_B p$ holds as well, we write $p \simeq_B q$.

It is not difficult to show that partial bisimilarity is a preorder for the process terms in $T$. In addition, following the guidelines of [21], it can be shown that $\leq_B$ is itself a partial bisimulation relation with respect to $B \subseteq A$. Thus, we obtain the partial bisimulation preorder and equivalence, similarly to the simulation preorder and equivalence [10]. Moreover, the partial bisimulation preorder can be shown to be a precongruence for the considered process operations, using a suitable extension of the tyft format for structural operational semantics with data [18]. Consequently, the partial bisimulation equivalence is a congruence, which enables us to build a standard term model using the quotient algebra modulo $\simeq_B$. Finally, we note that $p \leq_A q$ amounts to bisimulation, whereas $p \leq_\emptyset q$ reduces to the simulation preorder [3] and $p \simeq_\emptyset q$ reduces to simulation equivalence for processes with data [10].
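As an added illustration, not part of the original paper, the following Python code decides the partial bisimulation preorder $\leq_B$ on finite labeled transition systems by computing the greatest partial bisimulation as a fixpoint. The environment $\sigma$ of the theory is folded into the state (a state stands for a pair $(p, \sigma)$), so the three clauses above apply unchanged. The transition systems at the bottom are constructed for this example and are not taken from the paper.

```python
"""Partial bisimulation checker (added example, not from the paper).

An LTS is a dict mapping each state to a list of (action, target) pairs;
`term` is the set of states with a termination option (the marked states).
A state stands for a pair (process term, environment sigma), so the data of
the theory is already folded into the state space here.
"""


def greatest_partial_bisimulation(lts1, term1, lts2, term2, bisim_actions):
    """Return the largest partial bisimulation R between lts1 and lts2 with
    respect to the bisimulation action set B = bisim_actions.

    Greatest-fixpoint computation: start from all pairs that agree on
    termination (clause 1) and repeatedly drop pairs that violate clause 2
    (every step of the left state is matched by the right state) or clause 3
    (every B-step of the right state is matched back by the left state).
    """
    rel = {(p, q) for p in lts1 for q in lts2 if (p in term1) == (q in term2)}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            # clause 2: every action of p is simulated by q
            sim_ok = all(
                any(b == a and (p2, q2) in rel for b, q2 in lts2[q])
                for a, p2 in lts1[p]
            )
            # clause 3: B-actions of q are matched in the other direction
            back_ok = all(
                any(a == b and (p2, q2) in rel for a, p2 in lts1[p])
                for b, q2 in lts2[q] if b in bisim_actions
            )
            if not (sim_ok and back_ok):
                rel.discard((p, q))
                changed = True
    return rel


def leq(spec1, spec2, bisim_actions):
    """p <=_B q for specs of the form (lts, terminating_states, initial_state)."""
    lts1, term1, init1 = spec1
    lts2, term2, init2 = spec2
    rel = greatest_partial_bisimulation(lts1, term1, lts2, term2, bisim_actions)
    return (init1, init2) in rel


def equiv(spec1, spec2, bisim_actions):
    """p ~_B q: the preorder in both directions."""
    return leq(spec1, spec2, bisim_actions) and leq(spec2, spec1, bisim_actions)


# Constructed systems (hypothetical, for illustration). Channel c carries a
# controllable command; u and v are uncontrollable sensor outcomes.
# P = c.(u.1 + v.1): the choice between sensor outcomes is made after c.
P = ({"p0": [("c", "p1")], "p1": [("u", "p2"), ("v", "p3")], "p2": [], "p3": []},
     {"p2", "p3"}, "p0")
# Q = c.u.1 + c.v.1: the choice is made (nondeterministically) at c itself,
# so after c one of the two uncontrollable outcomes has silently been disabled.
Q = ({"q0": [("c", "q1"), ("c", "q2")], "q1": [("u", "q3")], "q2": [("v", "q4")],
      "q3": [], "q4": []}, {"q3", "q4"}, "q0")
# P_DUP: P with a duplicated c-branch; bisimilar to P.
P_DUP = ({"r0": [("c", "r1"), ("c", "r1b")], "r1": [("u", "r2"), ("v", "r3")],
          "r1b": [("u", "r2"), ("v", "r3")], "r2": [], "r3": []}, {"r2", "r3"}, "r0")
# P_BLOCK: as P, but the u-branch ends in deadlock instead of termination.
P_BLOCK = ({"z0": [("c", "z1")], "z1": [("u", "z2"), ("v", "z3")], "z2": [], "z3": []},
           {"z3"}, "z0")

ALL = {"c", "u", "v"}

if __name__ == "__main__":
    print("Q <=_{} P (simulation):         ", leq(Q, P, set()))        # True
    print("P <=_{} Q (simulation):         ", leq(P, Q, set()))        # False
    print("Q <=_{u,v} P (u,v bisimulated): ", leq(Q, P, {"u", "v"}))   # False
    print("P ~_A P_DUP (bisimulation):     ", equiv(P, P_DUP, ALL))    # True
    print("P <=_{} P_BLOCK (termination):  ", leq(P, P_BLOCK, set()))  # False
```

Q is simulated by P (the preorder with $B = \emptyset$), but $Q \leq_{\{u,v\}} P$ fails: after the command c, Q has silently disabled one of the uncontrollable sensor outcomes, which is exactly what clause 3 forbids once the uncontrollable channels are placed in B. With $B = A$ the preorder is bisimulation, as the comparison of P and P_DUP shows, and clause 1 separates P from P_BLOCK, which differ only in a termination option.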

3 A Process-Theoretic Approach to Supervisory Coordination 

First, we characterize the process terms that can be used to specify the plant and the supervisor. Thus, we distinguish between the two different flows of information at the syntactic level. We employ the notion of partial bisimulation to define the relationship between the plant and the supervisor in order to ensure that the supervisor does not disable any uncontrollable events. Thereafter, we identify a set of data-based control requirements that are typically employed in specification documents. Finally, we describe the model-based systems engineering framework and we discuss its implementation.
3.1 Plant and Supervisor Syntax

We distinguish between controllable and uncontrollable action transitions, which stem from the sets of controllable channels $H_C$ and uncontrollable channels $H_U$, where $H_C \cap H_U = \emptyset$ and $H_C \cup H_U = H$. We put $C = \{c!_m?_n \mid m, n \in \mathbb{N}, c \in H_C\}$ and $U = \{u!_m?_n \mid m, n \in \mathbb{N}, u \in H_U\}$. We model marked states by adding a successful termination option to the corresponding state. We note that in the process-theoretic setting, successful termination plays the additional role of enabling the sequential composition of processes [2, 5], which is not present in the automata theory of [20, 8]. We restrict the syntax of the plant and the supervisor, given by $P$ and $S$, respectively, as follows:

$$P ::= 0 \mid 1 \mid c?[f].P \mid u!_m?_n[f].P \mid \phi :\to P \mid \partial_H(P) \mid P + P \mid P \cdot P \mid P^* \mid P \parallel P$$
$$S ::= 1 \mid c![\emptyset].S \mid S + S \mid \phi :\to S \mid S^* \qquad (1)$$

where $c \in H_C$, $u \in H_U$, $f: V \rightharpoonup F$, $m, n \in \mathbb{N}$, $\phi \in B$, and $H \subseteq A$. We note that we specify a monolithic supervisor, i.e., the supervision is executed by a single process. For modular or distributed supervision, the syntactic form of the supervisor from (1) should be adjusted appropriately, so that it can admit several concurrent communicating processes.

We require the supervisor to be a deterministic process, which sends feedback to the plant in terms of synchronizing controllable events, and does not alter the state of the plant in any other way, i.e., it comprises no variable assignments. The supervisor relies on data observation from the plant to make supervision decisions in the vein of [11]. Thus, the supervisor observes the state of the plant, identified by the values of the (shared) variables, and enables controllable events by offering the corresponding sender event $c!$, which synchronizes with the receiving event $c?$ of the plant. It does not influence uncontrollable events, so they are safely interleaved in the communication with the plant. Consequently, the supervisor does not have to keep a history of events, so it can also be defined as an iterative process, which observes assigned data by employing guarded commands. This alternative definition is given as:

$$s = \Big(\sum_{c \in H_C} \phi_c :\to c![\emptyset].1 \;+\; \psi :\to 1\Big)^*, \qquad (2)$$

where $\phi_c, \psi \in B$ for $c \in H_C$. A supervisor of form (2) employs data value observation to identify the state of the plant and sends back feedback regarding controllable events by synchronizing on self-loops, as specified by $\sum_{c \in H_C} \phi_c :\to c![\emptyset].1$. It can potentially disable undesired termination options in states identified by $\psi \in B$. The guards $\phi_c$ for $c \in H_C$ and $\psi$ depict the supervision actions [17].

3.2 Supervised Plants and Controllability 

If we suppose that the plant is given by $p \in P$ and the supervisor by $s \in S$, then the supervised plant can be specified as $\partial_H(p \parallel s)$ in general, where the encapsulation enforces the desired communication and the set $H \subseteq A$ comprises the unfinished communication events, which differ per case. To ensure that no uncontrollable events are disabled by the supervisor, we employ partial bisimilarity to relate the supervised and the original plant. We note, however, that most other approaches, like [20, 8, 11, 24] to name a few, employ synchronizing actions, where two transitions with the same label synchronize into a resulting transition that is again labeled by that same label. In that case, the relation can be provided directly as in [3], because the labels of the transitions in the supervised and the original plant coincide.

In the setting of this paper, however, we have to rename certain actions in the original plant so that we can mimic the presence of a supervisor, which is necessary to make the plant operational.
Figure 4: Renaming operation that renders the controllable communication events of the plant completed

Figure 5: Satisfiability of data-based control requirements (rules 23 to 26; rule 24 has the premise $v(\phi) = \mathit{false}$, rule 26 the premise $v(\phi) = \mathit{true}$)



To this end, we employ a specific partial renaming operation $\xi: T \to T$ that renders the controllable communication actions of the plant as completed. This is in accordance with the syntax of the plant and the supervisor specified in (1), since the plant must wait for an enabling control signal for every controllable event. The operational rules that define the renaming operation $\xi$ are given in Figure 4. Now, we can specify the relation between the supervised and the original plant as:

$$\partial_H(p \parallel s) \leq_U \xi(p). \qquad (3)$$

It states that the controllable events of the supervised plant, enabled by the supervisor, can be simulated by the original plant in which all controllable events have been enabled, whereas no uncontrollable events can be disabled. We note that, in the setting of this paper, one can observe that the syntactical restrictions imposed on the supervisor actually imply this relation.

It is not difficult to show, again in the vein of [21, 3, 7], that the traditional notions of language-based controllability of [20, 8] for deterministic systems and state controllability [17, 9, 24] for nondeterministic systems are implied by (3).



3.3 Data-Based Control and Coordination Requirements 

In the setting of this paper, we consider data-based control and coordination requirements, which are stated in terms of Boolean expressions ranging over the data variables, and may additionally specify which events are allowed with respect to the observed data values. For a setting with event-based control requirements, we refer the interested reader to [3], whereas a preliminary investigation of state-based control requirements has been given elsewhere. The data-based control requirements, denoted by the set $R$, have the following syntax, induced by $R$:

$$R ::= a \to \phi \;\mid\; \phi \Rightarrow a \nrightarrow \;\mid\; \phi,$$

for $a \in A$ and $\phi \in B$. The first form states that the event $a$ is allowed only in states satisfying $\phi$, the second that $a$ is excluded in states satisfying $\phi$, and the third that $\phi$ must hold. A given control requirement $r \in R$ is satisfied with respect to the root of the process term $p \in T$ in the assignment environment $\sigma \in \Sigma$, notation $(p, \sigma) \models r$, according to the operational rules depicted in Figure 5. By $(p, \sigma) \stackrel{a}{\nrightarrow}$ we denote that $\{(p', \sigma') \mid (p, \sigma) \xrightarrow{a} (p', \sigma')\} = \emptyset$.

The first form of control requirements is introduced for modeling convenience as a frequently occurring case [15], and it is equivalent to the second form, as given by rule 23. Rule 24 states that if the state does not satisfy the guard $\phi$, then the requirement $\phi \Rightarrow a \nrightarrow$ is trivially satisfied. Rule 25 states a so-called state-transition exclusion requirement [15], which is satisfied if no transition with the excluded label is possible. Rule 26 states that a state-exclusion requirement restricts the states with the given data assignments, thus disabling unsafe or forbidden states, and must be upheld in every state. To ensure that the control requirements are globally satisfied, we extend $\models$ to $\models^*$, which requires that the control requirements are satisfied in every reachable state. To this end, we first define a trace transition relation $(p, \sigma) \xrightarrow{t}{}^{*} (p', \sigma')$ for $t = a_1 \ldots a_n \in A^*$. If $n = 0$ we have the empty trace $t = \varepsilon$ with $(p, \sigma) \xrightarrow{\varepsilon}{}^{*} (p, \sigma)$, whereas if $n > 0$, then $(p, \sigma) \xrightarrow{a_1} (p_1, \sigma_1) \xrightarrow{a_2} (p_2, \sigma_2) \cdots \xrightarrow{a_n} (p', \sigma')$ for some $p_1, \ldots, p_{n-1} \in T$, $\sigma_1, \ldots, \sigma_{n-1} \in \Sigma$, and $a_1, \ldots, a_n \in A$. Now, we define that $(p, \sigma) \models^* r$ if $(p', \sigma') \models r$ for every $p' \in T$ and $\sigma' \in \Sigma$ such that $(p, \sigma) \xrightarrow{t}{}^{*} (p', \sigma')$ for some $t \in A^*$.

Figure 6: Model-based systems engineering framework for supervisory controller synthesis

To ensure that the supervised plant respects the data-based control requirements, given by a set $R$ of requirements, we require that for the initial variable assignment $\sigma_0 \in \Sigma$ it holds that

$$(p \parallel s, \sigma_0) \models^* \bigwedge_{r \in R} r. \qquad (4)$$

In addition, a nonblocking supervisor must ensure that every state in the supervised plant can reach a state that has a successful termination option, i.e., for every $(p', \sigma') \in T \times \Sigma$ and $t \in A^*$ such that $(p \parallel s, \sigma_0) \xrightarrow{t}{}^{*} (p', \sigma')$, there exist $(p'', \sigma'') \in T \times \Sigma$ and $t' \in A^*$ such that $(p', \sigma') \xrightarrow{t'}{}^{*} (p'', \sigma'')$ and $(p'', \sigma'')\downarrow$.

3.4 Model-Based Systems Engineering Framework 

To structure the process of supervisory control synthesis, we employ the framework depicted in Fig- 
ure 6 [22, 15, 4]. The modeling process begins with an informal specification of the controlled system, 
i.e., the desired product, written by domain engineers. A design of the controlled system follows, de- 
vised by domain and software engineers together. The design most importantly defines the modeling 
level of abstraction and the control architecture. Subsequently, it is used to separate the plant and the 
control requirements, a joint task of domain and software engineers. Here, a decision is made to which 
extent the control is managed by the software, and which part is implemented in hardware. The resulting 
informal documents specify the plant and the control requirements, respectively. In the following, we omit 
the roles of the engineers as they are clear from the context. 
Figure 7: Modeling of the printing process function 



Most plants typically contain (continuous) hybrid behavior, whereas supervisor synthesis requires a 
discrete-event abstraction. The hybrid model is suitable for simulation purposes, and it can be abstracted 
to a discrete-event model for synthesis purposes [20, 8]. Alternatively, a discrete-event model can be 
made, and subsequently refined [23]. In the design of the plant, decisions are made on the level of 
abstraction that is used, and on what constitutes significant discrete-event and hybrid behavior. In parallel, 
a model of the control requirements is made following the specification documents. The discrete-event 
model of the plant, together with the model of the control requirements, are input to the synthesis tool, 
which automatically synthesizes a supervisor. 

Software-in-the-loop simulation is used to validate the supervisor coupled with a hybrid model of 
the plant, and hardware-in-the-loop simulation can be used to validate the supervisor against a prototype 
of the plant. If the validation is not satisfactory, the control requirements and/or the plant model need 
to be remodeled or redefined. In certain cases, a complete revision proves to be necessary, which might 
even require redefining the specification of the whole controlled system. Finally, the control software is 
generated automatically, based on the validated models. Note that software engineers in the framework 
act more as 'model' engineers, shifting their focus from writing code to modeling. 

We opt for Supremica [1] as a synthesis tool because it provides the greatest modeling convenience 
and range of options with respect to specifying plants with data and optimized synthesis procedures [17]. 
We remark that the state-of-the-art synthesis tools support the prevailing automata-style specifications 
and composition [1, 5]. To be able to execute industrial case studies, we are therefore compelled to 
translate the original process-algebraic specification to an input accepted by the tool. 

4 Coordinating Maintenance Procedures of a Printing Process Function 

An abstract view of the control architecture of a high-tech printer is depicted in Figure [7] Print jobs are 
sent to the printer by means of the user interface. The printer controller communicates with the user 
and assigns print jobs to the embedded software, which actuates the hardware to realize print jobs. The 
embedded software is organized in a distributed way, per functional aspect, such as, paper path, printing 
process, etc. Several managers communicate with the printer controller and each other to assign tasks to 
functions, which take care of the functional aspects. 

We depict a printing process function comprising several maintenance operations in Figure 7. Each 
function is hierarchically organized into: (1) controllers: Target Power Mode and Maintenance Schedul- 
ing, which receive control and scheduling tasks from the managers; (2) procedures: Status Procedure, 
Current Power Mode, Maintenance Operation, and Page Counter, which handle specific tasks and actu- 
ate devices; and (3) devices, as hardware interface. Status Procedure is responsible for coordinating the 
other procedures given the input from the controllers. The control problem is to synthesize a supervisory 
coordinator that ensures that the quality of printing is not compromised, by performing maintenance 
procedures in a timely manner, while interrupting ongoing print jobs as little as possible. We specify the 
coordination rules that ensure safe behavior of the system below. 

$CPM = (Stb2Run?\{CPM \mapsto 2\}.\_InRun\{CPM \mapsto 3\}.Run2Stb?\{CPM \mapsto 4\}.\_InStb\{CPM \mapsto 1\}.1 + 1)^*$ 
$MO_{ij} = (OpStart_{ij}?\{MO_{ij} \mapsto 2\}.\_OpFin_{ij}!\{MO_{ij} \mapsto 1\}.1 + 1)^*$ 
$PC_i = (\_SoftDln_i\{PC_i \mapsto 2\}.(\_HardDln_i\{PC_i \mapsto 3\}.\_OpFin_{ij}?\{PC_i \mapsto 1\}.1 + \_OpFin_{ij}?\{PC_i \mapsto 1\}.1) + \_OpFin_{ij}?.1 + 1)^*$ 
$MS_i = (SchOper_i?\{MS_i \mapsto 2\}.\_ExOper_i\{MS_i \mapsto 3\}.\_OpFin_{ij}?\{MS_i \mapsto 1\}.1 + 1)^*$ 
$TPM = (\_NewJob\{TPM \mapsto 2\}.\_JobFin\{TPM \mapsto 1\}.1 + 1)^*$ 

$PPF = \partial_H(CPM \parallel (\parallel_{i \in I} MS_i) \parallel (\parallel_{i \in I, j \in J_i} MO_{ij}) \parallel (\parallel_{i \in I} PC_i) \parallel TPM)$, 

where $H$ contains the unsynchronized send ($!$) and receive ($?$) actions that the encapsulation blocks. 

Figure 8: Process-algebraic specification of the plant 

4.1 Process- Algebraic Specification 

We briefly describe the procedures that comprise the plant, whose process-algebraic specification is 
given in Figure 8. We assume that the page counters are indexed by the set $I$, whereas for each counter 
$i \in I$ the maintenance procedures to be triggered are indexed by $J_i$. Also, labels of uncontrollable events 
begin with an underscore. Furthermore, we identify states by means of variable observation, i.e., we 
incorporate the observer inside the plant specification, so we assign the variables $MO_{ij}$ to Maintenance 
Operation $ij$, $PC_i$ to Page Counter $i$, $MS_i$ to Maintenance Scheduling $i$, $TPM$ to Target Power Mode, and 
$CPM$ to Current Power Mode, for $j \in J_i$ and $i \in I$. Initially, the variables are set to 1, which identifies the 
first state. The plant model is depicted in Figure 8, where Printing Process Function is defined by $PPF$ 
and $\parallel_{P \in \mathcal{P}} P$ denotes the parallel composition of the processes in $\mathcal{P}$. 

Current Power Mode sets the power mode to run or standby depending on the enabling signals 
($Stb2Run$ and $Run2Stb$) from Status Procedure, and sends back feedback by employing $\_InRun$ and 
$\_InStb$, respectively. Maintenance Operation $ij$ for $j \in J_i$ and $i \in I$ either carries out a maintenance 
operation, started by $OpStart_{ij}$, or it is idle. The confirmation is sent back by the events $\_OpFin_{ij}!$ for 
$j \in J_i$ and $i \in I$, which synchronize with Maintenance Scheduling and Page Counter. Page Counter $i$ 
for $i \in I$ counts the printed pages since the last maintenance and sends the signals $\_SoftDln_i$ and $\_HardDln_i$ 
when soft or hard deadlines are reached, respectively. It is responsible for the set of maintenance proce- 
dures in $J_i$. A soft deadline signals that maintenance should be performed, but it is not yet compulsory if 
there are pending print jobs. A hard deadline is reached when maintenance of the printing process must 
be performed to ensure the quality of the print. The page counter is reset, triggered by the synchronization 
on $\_OpFin_{ij}?$, each time that maintenance is finished. The controller Target Power Mode sends signals 
regarding incoming print jobs to Status Procedure by $\_NewJob$, which should set the printing process 
to run mode for printing and standby mode for maintenance and power saving. When the print job is 
finished, the signal $\_NoJob$ (written $\_JobFin$ in Figure 8) is sent. Maintenance Scheduling $i$ for $i \in I$ 
receives a request for maintenance with respect to expiration of Page Counter $i$ from Status Procedure, 
by the signal $SchOper_i$, and forwards it to the manager. The manager confirms the scheduling with the 
other functions and sends a response back to Status Procedure, using $\_ExOper_i$. Maintenance Scheduling 
also receives feedback from Maintenance Operation that the maintenance is finished in order to reset the 
scheduling, again triggered by $\_OpFin_{ij}?$. 



4.2 Coordination Requirements 

Status Procedure adheres to several coordination rules: 

1) Maintenance operations can be performed only when Printing Process Function is in standby. 
This state exclusion property requires a maintenance operation $ij$ to be in progress, identified by 
$MO_{ij} = 2$, only if the printer is in standby, i.e., $CPM = 1$. Thus, we specify that the following must 
always hold: 

$\neg(CPM \neq 1 \wedge \bigvee_{i \in I, j \in J_i} MO_{ij} = 2)$ (5) 

2) Maintenance operations can be scheduled only if a soft deadline has been reached and there are no 
print jobs in progress, or a hard deadline has passed. We schedule a maintenance operation $ij$ for $j \in J_i$ 
using the signal $SchOper_i$ for $i \in I$. A soft and a hard deadline for Page Counter $i$ are identified by 
$PC_i = 2$ and $PC_i = 3$, respectively, leading to 

$SchOper_i! \to (PC_i = 2 \wedge TPM = 1) \vee PC_i = 3$ (6) 

for every $i \in I$. 

3) Maintenance operations can be started only after being scheduled, for every $j \in J_i$ and $i \in I$. 
Thus, we relate $OpStart_{ij}$ with the corresponding maintenance scheduler: 

$OpStart_{ij}! \to MS_i = 3.$ (7) 

4) The power mode of the printing process function must follow the power mode dictated by the 
managers, unless overridden by a pending maintenance operation. We model this requirement separately 
for switching from standby to run power mode and vice versa. We can switch from standby to run if this 
is required by the manager, i.e., there is a new print job, and there is no need to start a maintenance 
operation. This is modeled as 

$Stb2Run! \to TPM = 2 \wedge \bigwedge_{i \in I} MS_i \neq 3.$ (8) 

Contrariwise, we switch from run to standby if there is no pending job, or if a maintenance operation 
is pending: 

$Run2Stb! \to TPM = 1 \vee \bigvee_{i \in I} MS_i = 3.$ (9) 

The set of parameterized data-based coordination requirements is given by the expressions (5)-(9). 



4.3 Supervisor Synthesis 

For any value of the parameters for the index sets $I$ and $J_i$ for $i \in I$, we can instantiate a plant and synthe- 
size a supervisor. For the sake of clarity, we illustrate the situation when there is only one maintenance 
procedure. We omit the unnecessary indices of the data variables. The supervisor sends the control sig- 
nals upon observation of certain data assignments, which are given in the form of guards. The indices 
of the guards correspond to the indices of the control requirements that concern the control signal. Note 
that the state-exclusion requirement (5) is treated as a global invariant, whereas no termination option of 
the plant is disabled. The guards have been synthesized as follows [17]: 

$g_6 = (PC = 2 \wedge TPM = 1) \vee PC = 3$, $\quad g_7 = CPM = 1 \wedge MS = 3$, 
$g_8 = MS \neq 3 \wedge TPM = 2 \wedge MO \neq 2$, $\quad g_9 = (MS \neq 3 \wedge TPM = 1) \vee MS = 3$. 

The supervisor has the syntax form restricted by (1) and it is given by: 

$S = (g_6 :\to SchOper!.1 + g_7 :\to OpStart!.1 + g_8 :\to Stb2Run!.1 + g_9 :\to Run2Stb!.1 + 1)^*.$ 

To illustrate the process of supervision, we consider the event $Stb2Run$. It is not difficult to deduce, 
e.g., that initially the event $Stb2Run$ is not enabled, since then all variables are assigned the value 1, 
whereas $g_8$ requires $TPM = 2$. This corresponds to the situation where there are no print jobs waiting 
to be executed, so there is no reason to switch the printer to run mode. Similarly, a maintenance operation 
can be started only if the printer is in standby mode, identified by $CPM = 1$, and the operation has been 
successfully scheduled, identified by $MS = 3$; the guard $g_7$ thus combines the state exclusion (5) with 
requirement (7). 
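The reachability semantics of $\models^*$ and the nonblocking condition of Section 3.3, applied to the single-procedure instance of the plant in Figure 8 and the guards $g_6$-$g_9$ above, as an added example that is not part of the paper or of the Supremica tooling. It assumes one page counter and one maintenance procedure (indices dropped, as in Section 4.3), encodes every process of Figure 8 as a transition relation on its own variable, explores all reachable assignments of the supervised plant by breadth-first search, and checks (5)-(9) together with nonblockingness; run on the unsupervised plant it also exhibits that every requirement is violated. The event name $\_NoJob$ follows the text (Figure 8 writes $\_JobFin$); the encoding of termination as "all variables equal 1" is an assumption derived from the shape of the loops in Figure 8.

```python
"""Added example (not from the paper): brute-force check of the supervised
printing-process function with one page counter and one maintenance
procedure.  Variables CPM, MO, PC, MS, TPM take the values of Figure 8
(1 = initial state); events whose label starts with '_' are uncontrollable.
Assumption: _NoJob names the end-of-job signal (Figure 8 writes _JobFin)."""
from collections import deque

# variable -> (from_value, event, to_value); every component owns one variable
PLANT = {
    "CPM": [(1, "Stb2Run", 2), (2, "_InRun", 3), (3, "Run2Stb", 4), (4, "_InStb", 1)],
    "MO":  [(1, "OpStart", 2), (2, "_OpFin", 1)],
    "PC":  [(1, "_SoftDln", 2), (2, "_HardDln", 3), (3, "_OpFin", 1),
            (2, "_OpFin", 1), (1, "_OpFin", 1)],
    "MS":  [(1, "SchOper", 2), (2, "_ExOper", 3), (3, "_OpFin", 1)],
    "TPM": [(1, "_NewJob", 2), (2, "_NoJob", 1)],
}
INIT = {v: 1 for v in PLANT}
EVENTS = sorted({e for trs in PLANT.values() for _, e, _ in trs})
ALPHABET = {v: {e for _, e, _ in trs} for v, trs in PLANT.items()}

# Synthesised guards g6..g9 of Section 4.3 (pass None for the unsupervised plant).
GUARDS = {
    "SchOper": lambda s: (s["PC"] == 2 and s["TPM"] == 1) or s["PC"] == 3,
    "OpStart": lambda s: s["CPM"] == 1 and s["MS"] == 3,
    "Stb2Run": lambda s: s["MS"] != 3 and s["TPM"] == 2 and s["MO"] != 2,
    "Run2Stb": lambda s: (s["MS"] != 3 and s["TPM"] == 1) or s["MS"] == 3,
}

# Requirements (5)-(9).  ("state", None, phi): phi must hold in every reachable
# state.  ("event", a, phi): a may only be taken from a state satisfying phi.
REQUIREMENTS = {
    "(5)": ("state", None, lambda s: not (s["CPM"] != 1 and s["MO"] == 2)),
    "(6)": ("event", "SchOper", lambda s: (s["PC"] == 2 and s["TPM"] == 1) or s["PC"] == 3),
    "(7)": ("event", "OpStart", lambda s: s["MS"] == 3),
    "(8)": ("event", "Stb2Run", lambda s: s["TPM"] == 2 and s["MS"] != 3),
    "(9)": ("event", "Run2Stb", lambda s: s["TPM"] == 1 or s["MS"] == 3),
}

def key(state):
    return tuple(sorted(state.items()))

def successors(state, guards):
    """Yield (event, next_state) for every event enabled in `state`: every
    component that knows the event must be able to take it (synchronisation),
    and a controllable event must additionally pass its supervisor guard."""
    for e in EVENTS:
        if guards and e in guards and not guards[e](state):
            continue
        nxt = dict(state)
        for var, trs in PLANT.items():
            if e not in ALPHABET[var]:
                continue
            targets = [t for f, ev, t in trs if f == state[var] and ev == e]
            if not targets:
                break                       # some component blocks the event
            nxt[var] = targets[0]           # each component is deterministic
        else:
            yield e, nxt

def reachable(guards):
    """Breadth-first exploration of the (process, assignment) pairs from INIT."""
    states, edges, todo = {key(INIT): INIT}, [], deque([INIT])
    while todo:
        s = todo.popleft()
        for e, n in successors(s, guards):
            edges.append((s, e, n))
            if key(n) not in states:
                states[key(n)] = n
                todo.append(n)
    return states, edges

def violations(guards):
    """Identifiers of requirements violated in some reachable state (|=* fails)."""
    states, edges = reachable(guards)
    bad = set()
    for rid, (kind, a, phi) in REQUIREMENTS.items():
        if kind == "state" and any(not phi(s) for s in states.values()):
            bad.add(rid)
        if kind == "event" and any(e == a and not phi(s) for s, e, _ in edges):
            bad.add(rid)
    return bad

def nonblocking(guards):
    """Every reachable state can reach a state with a termination option; in
    Figure 8 termination is offered exactly when every loop is at its start,
    i.e. when all variables equal 1 (assumption of this encoding)."""
    states, edges = reachable(guards)
    good = {k for k, s in states.items() if all(v == 1 for v in s.values())}
    changed = True
    while changed:                          # backward closure over the edges
        changed = False
        for s, _, n in edges:
            if key(n) in good and key(s) not in good:
                good.add(key(s))
                changed = True
    return good == set(states)

def enabled_initially(guards):
    return [e for e, _ in successors(INIT, guards)]

if __name__ == "__main__":
    print("unsupervised plant violates:", sorted(violations(None)))
    print("supervised plant violates:  ", sorted(violations(GUARDS)))
    print("supervised plant nonblocking:", nonblocking(GUARDS))
    print("enabled initially:", enabled_initially(GUARDS))
```

The check is a verification of given guards over the 144 possible assignments, not a synthesis procedure: Supremica computes $g_6$-$g_9$, whereas this script only confirms that, with them in place, (5)-(9) hold in every reachable assignment, that no reachable assignment is blocking, and that initially only the uncontrollable events $\_NewJob$ and $\_SoftDln$ are enabled. The same loop over `REQUIREMENTS` is what one would extend with further state-exclusion or state-transition exclusion requirements of the forms in $\mathcal{R}$.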

5 Concluding Remarks 

We developed a process theory encompassing communicating processes with data and generic commu- 
nication actions. We applied the developed theory to model supervisory control feedback loops with 
data observations, where we distinguish between the observation and control flows of information. We 
classified the processes modeling the unsupervised system and the supervisory controller to capture their 
specific roles. To capture the notion of controllability, which identifies the set of feasible supervisory 
controllers, we employed the behavioral relation partial bisimulation and extended the notion to 
the new setting. We cast the process of supervisory controller synthesis in a model-based systems 
engineering framework, for whose implementation we employ state-of-the-art tools. To illustrate our 
approach, we revisited an industrial study dealing with the coordination of maintenance procedures in 
the printing process of a high-tech printer. We demonstrated that our approach is capable of successfully 
modeling the interaction in the supervisory control loop and offers a compact representation of the model 
of the supervisory controller. 